

<!DOCTYPE html>
<html lang="en" dir="ltr" prefix="og: https://ogp.me/ns#" class="no-js">
  <head>
    <meta charset="utf-8" />
<script async src="https://www.googletagmanager.com/gtag/js?id=G-9MDR73GM0K"></script>
<script>window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments)};gtag("js", new Date());gtag("set", "developer_id.dMDhkMT", true);gtag("config", "G-9MDR73GM0K", {"groups":"default","page_placeholder":"PLACEHOLDER_page_location"});</script>
<link rel="canonical" href="https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors" />
<meta property="og:site_name" content="Cybersecurity and Infrastructure Security Agency CISA" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors" />
<meta property="og:title" content="CISA Releases Malware Analysis Reports on Barracuda Backdoors | CISA" />
<meta name="Generator" content="Drupal 9 (https://www.drupal.org)" />
<meta name="MobileOptimized" content="width" />
<meta name="HandheldFriendly" content="true" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="icon" href="/profiles/cisad8_gov/themes/custom/gesso/favicon.png" type="image/png" />

    <title>CISA Releases Malware Analysis Reports on Barracuda Backdoors | CISA</title>
    <link rel="stylesheet" media="all" href="/core/modules/system/css/components/ajax-progress.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/align.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/autocomplete-loading.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/fieldgroup.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/container-inline.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/clearfix.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/details.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/hidden.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/item-list.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/js.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/nowrap.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/position-container.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/progress.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/reset-appearance.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/resize.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/sticky-header.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-counter.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-counters.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/system-status-report-general-info.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/tabledrag.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/tablesort.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/system/css/components/tree-child.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/core/modules/views/css/views.module.css?ryttwc" />
<link rel="stylesheet" media="all" href="/profiles/cisad8_gov/modules/custom/toolbar_tasks/css/toolbar.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/extlink/extlink.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/ckeditor_accordion/css/ckeditor-accordion.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/better_social_sharing_buttons/css/better_social_sharing_buttons.css?ryttwc" />
<link rel="stylesheet" media="all" href="/modules/contrib/paragraphs/css/paragraphs.unpublished.css?ryttwc" />
<link rel="stylesheet" media="all" href="//fonts.googleapis.com/css2?family=Montserrat:wght@400;500;600;700&amp;family=Public+Sans:wght@400;500;600;700&amp;display=swap" />
<link rel="stylesheet" media="all" href="/profiles/cisad8_gov/themes/custom/gesso/dist/css/styles.css?ryttwc" />

    
  </head>
  <body  class="path-node not-front node-page node-page--node-type-advisory" id="top">
    
<div  class="c-skiplinks">
  <a href="#main" class="c-skiplinks__link u-visually-hidden u-focusable">Skip to main content</a>
</div>
    
      <div class="dialog-off-canvas-main-canvas" data-off-canvas-main-canvas>
    

<div  class="l-site-container">
    
      

  
  



  
  

  
  

  <main id="main" class="c-main" role="main" tabindex="-1">
    
      
    


<div  class="l-content">
          







  
  
    

  
            





<div  role="article" class="is-promoted l-full">
    <div class="l-full__header">
        
<div  class="c-page-title">
  <div class="c-page-title__inner l-constrain">
    <div class="c-page-title__row">
      <div class="c-page-title__content">
                  <div class="c-page-title__meta">Alert</div>
                <h1 class="c-page-title__title">
<span>CISA Releases Malware Analysis Reports on Barracuda Backdoors</span>
</h1>
                                                          <div class="c-page-title__fields">  




<div  class="c-field c-field--name-field-last-updated c-field--type-datetime c-field--label-above">
  <div  class="c-field__label">Last Revised</div><div class="c-field__content"><time datetime="2023-08-09T12:00:00Z">August 09, 2023</time></div></div>

  
</div>
                        
        
      </div>
          </div>
    <div class="c-page-title__decoration"></div>
  </div>
</div>
    </div>
    <div class="l-full__main">
                      

<div  class="l-page-section l-page-section--rich-text">
      <div class="l-constrain">
  
  
  <div class="l-page-section__content">
          <p><em>Updated August 9, 2023 </em></p>
<p>CISA has published an additional malware analysis report associated with malicious Barracuda activity. The report provides analysis on four malware samples, including:  </p>
<ul><li>
<p>WHIRLPOOL – WHIRLPOOL is a backdoor that establishes a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server. </p>
</li>
</ul><p>For more information, including indicators of compromise and YARA rules for detection, see the following malware analysis report: </p>
<ul><li>
<p><a href="/news-events/analysis-reports/ar23-221a">SEASPY and WHIRLPOOL Backdoors MAR-10454006.r4.v2.CLEAR </a></p>
</li>
</ul><p><em>End of update </em></p>
<p>CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a <a href="https://www.barracuda.com/company/legal/esg-vulnerability">zero day</a> as early as October 2022 to gain access to ESG appliances. According to <a href="https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally">industry reporting</a>, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence.</p>
<p>CISA analyzed backdoor malware variants obtained from an organization that had been compromised by threat actors exploiting the vulnerability.</p>
<ul><li><strong>Barracuda Exploit Payload and Backdoor </strong>– The payload exploits CVE-2023-2868, leading to the dropping and execution of a reverse shell backdoor on the ESG appliance. The reverse shell establishes communication with the threat actor’s command and control (C2) server, from which it downloads the SEASPY backdoor to the ESG appliance. The actors delivered the payload to the victim via a phishing email with a malicious attachment.</li>
<li><strong>SEASPY</strong> – SEASPY is a persistent and passive backdoor that masquerades as a legitimate Barracuda service. SEASPY monitors traffic from the actor’s C2 server. When the right packet sequence is captured, it establishes a Transmission Control Protocol (TCP) reverse shell to the C2 server. The shell allows the threat actors to execute arbitrary commands on the ESG appliance.</li>
<li><strong>SUBMARINE </strong>– SUBMARINE is a novel persistent backdoor executed with root privileges that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup. CISA also analyzed artifacts related to SUBMARINE that contained the contents of the compromised SQL database. This malware poses a severe threat for lateral movement.</li>
</ul><p>For more information on the exploit payload, SEASPY, and SUBMARINE backdoors, including indicators of compromise and YARA rules for detection, see the following Malware Analysis Reports:</p>
<ul><li><a href="/news-events/analysis-reports/ar23-209c">Exploit Payload Backdoor MAR-10454006-r3.v1.CLEAR</a></li>
<li><a href="/news-events/analysis-reports/ar23-209b">SEASPY Backdoor MAR-10454006-r2.v1.CLEAR</a></li>
<li><a href="/news-events/analysis-reports/ar23-209a">SUBMARINE Backdoor MAR-10454006-r1.v2.CLEAR</a></li>
</ul><p>For more information on CVE-2023-2868, see Barracuda’s page <a href="https://www.barracuda.com/company/legal/esg-vulnerability">Barracuda Email Security Gateway Appliance (ESG) Vulnerability</a> and Mandiant’s blog post <a href="https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally">Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor</a>.</p>
<p>To report suspicious or criminal activity related to information found in these malware analysis reports, contact CISA’s 24/7 Operations Center at <a href="mailto:Report@cisa.gov">Report@cisa.gov</a> or (888) 282-0870.</p>

      </div>

  
      </div>
  </div>
      <div class="l-constrain l-page-section--rich-text">
        <div class="l-page-section__content">
          




<div  class="c-field c-field--name-body c-field--type-text-with-summary c-field--label-hidden">
  <div class="c-field__content"><p>This product is provided subject to this <a href="/notification" rel="nofollow noopener" target="_blank" title="Follow link">Notification</a> and this <a href="/privacy-policy" rel="nofollow noopener" target="_blank" title="Follow link">Privacy &amp; Use</a> policy.</p></div></div>

        </div>
      </div>
            </div>
        <div class="l-full__footer">
                              
          

  



          </div>
  </div>
  
  
  
  

      </div>

  
  </main>

  



</div>

  </div>

    
        <script type="application/json" data-drupal-selector="drupal-settings-json">{"path":{"baseUrl":"\/","scriptPath":null,"pathPrefix":"","currentPath":"node\/18545","currentPathIsAdmin":false,"isFront":false,"currentLanguage":"en"},"pluralDelimiter":"\u0003","suppressDeprecationErrors":true,"google_analytics":{"account":"G-9MDR73GM0K","trackOutbound":true,"trackMailto":true,"trackTel":true,"trackDownload":true,"trackDownloadExtensions":"7z|aac|arc|arj|asf|asx|avi|bin|csv|doc(x|m)?|dot(x|m)?|exe|flv|gif|gz|gzip|hqx|jar|jpe?g|js|mp(2|3|4|e?g)|mov(ie)?|msi|msp|pdf|phps|png|ppt(x|m)?|pot(x|m)?|pps(x|m)?|ppam|sld(x|m)?|thmx|qtm?|ra(m|r)?|sea|sit|tar|tgz|torrent|txt|wav|wma|wmv|wpd|xls(x|m|b)?|xlt(x|m)|xlam|xml|z|zip"},"data":{"extlink":{"extTarget":false,"extTargetNoOverride":false,"extNofollow":false,"extNoreferrer":false,"extFollowNoOverride":false,"extClass":"ext","extLabel":"(link is external)","extImgClass":false,"extSubdomains":true,"extExclude":"(.\\.gov$)|(.\\.mil$)|(.\\.mil\/)|(.\\.gov\/)","extInclude":"","extCssExclude":".c-menu--social,.c-menu--footer,.c-social-links,.c-text-cta--button","extCssExplicit":"","extAlert":true,"extAlertText":"You are now leaving an official website of the United State Government (USG), the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Links to non-USG, non-DHS and non-CISA sites are provided for the visitor\u0027s convenience and do not represent an endorsement by USG, DHS or CISA of any commercial or private issues, products or services. 
Note that the privacy policy of the linked site may differ from that of USG, DHS and CISA.","mailtoClass":"mailto","mailtoLabel":"(link sends email)","extUseFontAwesome":false,"extIconPlacement":"append","extFaLinkClasses":"fa fa-external-link","extFaMailtoClasses":"fa fa-envelope-o","whitelistedDomains":[]}},"ckeditorAccordion":{"accordionStyle":{"collapseAll":1,"keepRowsOpen":0}},"user":{"uid":0,"permissionsHash":"2e28e3d4cecae698758a87360e5c783a3a6bbf12a454265e787234af3fdfaba5"}}</script>
<script src="/core/assets/vendor/jquery/jquery.min.js?v=3.6.3"></script>
<script src="/core/misc/polyfills/element.matches.js?v=9.5.10"></script>
<script src="/core/misc/polyfills/object.assign.js?v=9.5.10"></script>
<script src="/core/assets/vendor/once/once.min.js?v=1.0.1"></script>
<script src="/core/assets/vendor/jquery-once/jquery.once.min.js?v=2.2.3"></script>
<script src="/core/misc/drupalSettingsLoader.js?v=9.5.10"></script>
<script src="/core/misc/drupal.js?v=9.5.10"></script>
<script src="/core/misc/drupal.init.js?v=9.5.10"></script>
<script src="/modules/contrib/google_analytics/js/google_analytics.js?v=9.5.10"></script>
<script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/common.js?ryttwc"></script>
<script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/uswds-init.es6.js?ryttwc"></script>
<script src="/profiles/cisad8_gov/themes/custom/gesso/dist/js/uswds.es6.js?ryttwc"></script>
<script src="https://dap.digitalgov.gov/Universal-Federated-Analytics-Min.js?" id="_fed_an_ua_tag"></script>
<script src="/modules/contrib/extlink/extlink.js?v=9.5.10"></script>
<script src="/core/misc/jquery.once.bc.js?v=9.5.10"></script>
<script src="/modules/contrib/ckeditor_accordion/js/ckeditor-accordion.js?v=1.x"></script>

  </body>
</html>
